The Windows Registry is a database that stores all kinds of Windows system configuration: settings for the kernel, devices, users and more.
As a penetration tester or an advanced system administrator you need a clear understanding of the Windows Registry, because you will often have to configure the system by hand. That is why I am going to explain the basics of the Windows Registry as I learned them from various resources, experience and self-study.
How the registry works with the Windows system:
The boot configuration is stored in the Windows registry. Whenever Windows boots, it first reads that configuration from the registry hives and loads it into memory. Then it is the kernel's turn.
When the kernel starts initializing, it first reads further configuration, such as the device configuration.
Then it reads the remaining required configuration, such as user settings, wallpaper, screen saver and so on.
A great deal of information is stored in the registry, and keeping it all in one undifferentiated form would be horrible, so each registry value has a data type. Here are a few of them:
REG_NONE == No value type
REG_SZ == Unicode string
REG_BINARY == Binary data
REG_DWORD == 32-bit number (double word)
REG_DWORD_BIG_ENDIAN == A DWORD value (32-bit unsigned integer) stored in big-endian byte order
REG_LINK == Symbolic link
REG_FULL_RESOURCE_DESCRIPTOR == Hardware resource description
REG_QWORD == 64-bit number
And the root keys; let's explain each of them below.
HKEY_CLASSES_ROOT: Abbreviated HKCR, HKEY_CLASSES_ROOT contains information about registered applications, such as file associations and OLE object class IDs, tying them to the applications used to handle those items.
HKEY_CURRENT_USER: Abbreviated HKCU, this is where all the configuration of the currently logged-in user is stored.
There are 12 subkeys under HKEY_CURRENT_USER:
AppEvents == Sound/event settings
Console == Console window settings such as screen colour, width, font size etc.
Control Panel == Wallpaper, screensaver, mouse etc.
Environment == Environment variable definitions
Keyboard Layout == Keyboard layout (e.g. U.S.)
Network == Network drive settings
Printers == Printer connection settings
Software == User-specific software settings
Volatile Environment ==
HKEY_LOCAL_MACHINE: In this root key all the system-wide configuration is stored, such as the HARDWARE, SAM and SOFTWARE subkeys, the computer name and so on.
Malware, backdoors, keyloggers and other malicious software also target this key.
HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user profile actively loaded on the machine, though user hives are usually only loaded for the currently logged-in users.
If I am logged in as “weird science” then I can see there is a subkey:
This one perhaps doesn't need explaining. If you still want to know about it, please search on Google. 🙂
Microsoft (copied and pasted): A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key. More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx
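The value types, the HKEY_CURRENT_USER subkeys and the user profile hive under HKEY_USERS described above can all be inspected read-only from PowerShell. The script below is an added example (my own, not code from the post or from Microsoft); it assumes Windows PowerShell 5.1 or later on Windows and that the drive name HKU: is free to map.

```powershell
# Added example: read-only inventory of registry values with their REG_* types,
# then a check that HKCU and HKU\<SID> show the same data for the current user.
# Assumes Windows PowerShell 5.1+ on Windows; nothing in the registry is modified.

# .NET RegistryValueKind names -> REG_* names from the post. Types .NET does not
# model (REG_LINK, REG_FULL_RESOURCE_DESCRIPTOR, REG_DWORD_BIG_ENDIAN) show as Unknown.
$KindToRegName = @{
    'None' = 'REG_NONE'; 'String' = 'REG_SZ'; 'ExpandString' = 'REG_EXPAND_SZ'
    'Binary' = 'REG_BINARY'; 'DWord' = 'REG_DWORD'; 'MultiString' = 'REG_MULTI_SZ'
    'QWord' = 'REG_QWORD'; 'Unknown' = 'REG_UNKNOWN'
}

function Get-RegistryValueInventory {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'HKCU:\Environment'
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop   # Microsoft.Win32.RegistryKey
    foreach ($name in $key.GetValueNames()) {
        $kind    = $key.GetValueKind($name).ToString()
        $display = if ($name -eq '') { '(Default)' } else { $name }
        $type    = if ($KindToRegName.ContainsKey($kind)) { $KindToRegName[$kind] } else { $kind }
        # Keep REG_EXPAND_SZ data unexpanded so the stored string is what gets reported.
        $data = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        [pscustomobject]@{ Key = $key.Name; Name = $display; Type = $type; Data = $data }
    }
}

# 1. Walk the HKCU subkeys listed in the post; skip any that do not exist on this machine.
$hkcuSubkeys = 'AppEvents', 'Console', 'Control Panel', 'Environment', 'Keyboard Layout',
               'Network', 'Printers', 'Software', 'Volatile Environment'
foreach ($sub in $hkcuSubkeys) {
    $p = "HKCU:\$sub"
    if (Test-Path -LiteralPath $p) { Get-RegistryValueInventory -Path $p | Format-Table -AutoSize }
}

# 2. HKCU is a view of the current user's profile hive under HKEY_USERS\<SID>.
#    PowerShell has no HKU: drive by default, so map one for this session.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$props = 'Name', 'Type', 'Data'
$diff = Compare-Object -Property $props `
    -ReferenceObject  (Get-RegistryValueInventory -Path 'HKCU:\Environment') `
    -DifferenceObject (Get-RegistryValueInventory -Path "HKU:\$sid\Environment")
if ($diff) { $diff } else { "HKCU:\Environment and HKU:\$sid\Environment hold identical values" }
```

Running the same inventory against HKLM subkeys such as SOFTWARE and saving the output gives a baseline to diff against later, which is how unexpected changes to the keys malware targets get noticed.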
Next I will explain some security tasks in the Windows registry once I have some security-related registry work to show; I hope it will be soon. 🙂 Stay tuned!
Feel free to post any questions you have about the Windows registry! 🙂